
Re: Re: Squid "stalling" downloads


On Tue, 27 Sep 2005 cgfreita@xxxxxxxxxxxxx wrote:

> I am trying to convince Squid to allow me to run cachemgr or squidclient. There is a rule blocking me. I am trying to collect the data suggested by Henrik.

The default ruleset suggested in the squid.conf shipped by Squid allows cachemgr access from localhost and localhost only, but if you have inserted your rules in another order than suggested then it may be possible that you have unintentionally overridden these rules.

What do your http_access rules look like? They should look something like the following:

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Deny users to proxy to localhost
http_access deny to_localhost

# your http_access rules
http_access ....
http_access ....
http_access ....

# And finally deny all other access to this proxy
http_access deny all

> Actually my "firewall" is just a Linux machine with iptables.
> It has Slackware 10.1, kernel 2.6.12.2 and iptables 1.3.2 and
> was working fine until now. But, I have already included it
> back in my "blacklist". I am wondering about connection
> tracking feature.

The Linux iptables firewall is very good, but there have been some reports about the TCP window tracking introduced in recent versions perhaps not always getting things correct. If you suspect this may be the case then you can try

  echo 1 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

on the firewall. This marginally reduces the security of the TCP window tracking making it behave more like the connection tracking in earlier kernels.

but I doubt this is your problem.

Regards
Henrik
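
The rule-ordering effect described in the message above, as an added example that is not part of the original post or of Squid itself: a simplified Python model of first-match http_access evaluation, run over the suggested ordering and over a reordered copy. ACLs are treated as plain booleans, and the `localnet` ACL, the reordered rule list and the sample requests are constructed for illustration.

```python
# Added example: a simplified model of Squid's http_access evaluation.
# ACL names are plain booleans here; "localnet" is a constructed ACL name.

def parse_http_access(conf_text):
    """Return [(action, [acl, ...]), ...] in file order, ignoring comments."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def acl_matches(token, true_acls):
    if token.startswith("!"):
        return not acl_matches(token[1:], true_acls)
    return token == "all" or token in true_acls

def decide(rules, true_acls):
    """First rule whose ACLs all match decides; returns (action, rule index)."""
    if not rules:
        raise ValueError("no http_access rules to evaluate")
    for index, (action, acls) in enumerate(rules):
        if all(acl_matches(a, true_acls) for a in acls):
            return action, index
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

GUARDS = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
"""
OWN_RULE = "http_access allow localnet\n"   # constructed site rule
SUGGESTED = GUARDS + OWN_RULE + "http_access deny all\n"
MISORDERED = OWN_RULE + GUARDS + "http_access deny all\n"

# Constructed requests: the set of ACLs that would match each one.
LAN_CACHEMGR = {"manager", "localnet", "Safe_ports"}
LOCAL_CACHEMGR = {"manager", "localhost", "Safe_ports"}

if __name__ == "__main__":
    for name, conf in (("suggested", SUGGESTED), ("misordered", MISORDERED)):
        rules = parse_http_access(conf)
        for label, req in (("LAN", LAN_CACHEMGR), ("localhost", LOCAL_CACHEMGR)):
            print(name, label, "cachemgr ->", decide(rules, req))
```

The returned rule index shows which line decided the request, which is the line to look at when cachemgr access is unexpectedly allowed or blocked.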
